How we choose our passwords has changed over the years. I remember in 1994 we were told at university that our Solaris sysadmin was turning on mandatory passwords, and we revolted. At first we all tried using the same password, and then that password got blocked. Every new "group password" we created would cause another forced round of password resets. In the end we resigned ourselves to it - if we wanted to share homework, it wasn't going to be by browsing to our friend's home folder and copying it over. And as we all know now, these password controls ended up being for the best, as data became more valuable. At first, a word and possibly a number seemed like enough. Then dictionary attacks, which work by brute-forcing passwords from lists of common words, made it fairly easy to crack a one-word password.
In the early 2000s we were being educated to create passwords that were harder to guess and immune to brute forcing by, wait for it, using two possibly unrelated words, e.g. "umbrella cow". Complexity rules were added to ensure we also had a capital letter and a number, and the special character was the icing on the cake. Though in most cases that special character was likely the ! at the end of the password: Umbre11acow!
By 2010 I began to hear about tips like using the first letter of each word in an easy-to-remember phrase: based on song titles, based on funny phrases, or how about "pronounceable" passwords. Okay, these are probably better than the two-words approach, but each of these has its own weaknesses too. For example, passwords based on bible phrases are certainly going to be less secure than passwords created from a sentence known only to you. And I personally would never use an online tool to create a "funny phrase" for me to use as a password - why not just ask the password crackers to assign you a password?
It is 2016 and the truth is that there is overwhelming opinion that passwords are broken. That is, the only good password is a random password. Password vaults have made "memorizing" passwords a thing of the past. For authentication, always use two-factor or multi-factor options if they are available to you. Welcome to the age of data phones, where biometrics are protecting the password stores on our mobile devices - where we store our passwords, which I hope have been updated since we created them in 1998. :-)
- AMW
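To put numbers on the strategies the post walks through (one word, two words, the mangled "Umbre11acow!" form, and a vault-generated random password), here is an added entropy estimate. It is example code, not from the post; the wordlist size, the number of mangling rules and the guess rate are constructed assumptions, and the point is the ratio between the strategies, not the exact figures.

```python
import math

# Rough search-space sizes. These are constructed assumptions for the
# illustration, not figures from the post.
DICTIONARY_WORDS = 50_000      # words a typical cracking wordlist covers
PRINTABLE_ASCII = 94           # characters a random generator can draw from
GUESSES_PER_SECOND = 1e10      # assumed offline cracking rate (placeholder)


def entropy_bits(search_space: float) -> float:
    """Bits of entropy for a password drawn uniformly from `search_space` choices."""
    return math.log2(search_space)


def strategy_entropy(strategy: str) -> float:
    """Estimate entropy for each password style described in the post."""
    if strategy == "one_word":            # e.g. "umbrella"
        return entropy_bits(DICTIONARY_WORDS)
    if strategy == "two_words":           # e.g. "umbrella cow"
        return entropy_bits(DICTIONARY_WORDS ** 2)
    if strategy == "two_words_mangled":   # e.g. "Umbre11acow!"
        # Capitalising the first letter, a few common leet substitutions and a
        # trailing "!" are applied by crackers as rules, so the mangling adds
        # only a handful of variants per candidate (assumed 2 x 4 x 4 = 32).
        mangle_variants = 2 * 4 * 4
        return entropy_bits(DICTIONARY_WORDS ** 2 * mangle_variants)
    if strategy == "random_12":           # vault-generated, 12 printable chars
        return entropy_bits(PRINTABLE_ASCII ** 12)
    raise ValueError(f"unknown strategy: {strategy}")


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the space at `rate` guesses/s."""
    return (2 ** bits) / 2 / rate


def compare() -> dict:
    """Map each strategy to (entropy bits, expected crack time in seconds)."""
    names = ("one_word", "two_words", "two_words_mangled", "random_12")
    return {n: (strategy_entropy(n), expected_crack_seconds(strategy_entropy(n)))
            for n in names}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:18s} {bits:6.1f} bits  ~{secs / 86400:.3g} days")
```

The mangling rules buy about five extra bits over the plain two-word password, while twelve random printable characters give roughly 79 bits, which is why the vault-generated password is the only one of these that stays out of reach of an offline dictionary attack.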